This seems to be allowing unsafe script injection from ONLY certain whitelisted urls, presumably excluding the url globs required for the ads. Haven't tested it, and not sure the full extent of pshc's sibling response either.